VirusInfo:Microsoft Windows System Reference
This page exists as a reference for Microsoft Windows-specific items that would be too repetitive or tedious to write out in every article. It also keeps long path names, which would make individual pages look ugly, in one place.

System Folder

The System folder contains programs, libraries and other files necessary to run the computer. On Windows 95, 98 and ME it is located at C:\Windows\System. On Windows 2000, NT and XP it is at C:\WINNT\System32. Worms usually install themselves to this folder.

Windows Folder

The directory above the System folder (WINNT or Windows) is the "Windows folder". Worms seem to prefer the System folder, but they may also have some use for this one.

Startup Folder

In Windows 95, 98 and ME it is located at C:\Windows\Start Menu\Programs\Startup\. In Windows 2000, NT and XP it is at C:\Documents and Settings\\Start Menu\Programs\Startup\.

Registry

The Registry is a directory that stores system and program settings. Worms often use the registry to make sure they start whenever the system is started. The Windows registry consists of six subtrees, five of which are visible to the user; their names begin with HKEY. A registry key works in a similar way to a file path, using backslashes (\) to indicate levels of hierarchy.

HKEY_LOCAL_MACHINE, referred to on this wiki as the "local machine registry key", is the subtree that contains settings relevant to all users on the computer.

HKEY_CURRENT_USER, referred to on this wiki as the "current user registry key", contains settings relevant to the currently logged-in user.

HKEY_USERS, referred to on this wiki as the "users registry key", contains subkeys corresponding to the HKEY_CURRENT_USER keys for each user registered on the machine.

HKEY_CLASSES_ROOT, referred to on this wiki as the "root registry key", contains settings relevant to registered applications. On Windows 2000 and above, HKCR is a merged view of HKEY_CURRENT_USER\Software\Classes and HKEY_LOCAL_MACHINE\Software\Classes.
If a given value exists in both of those subkeys, the one in HKEY_CURRENT_USER\Software\Classes is used.

HKEY_CURRENT_CONFIG, referred to on this wiki as the "current configuration key", contains information gathered at runtime; information stored in this key is not permanently stored on disk but is regenerated at boot time.

HKEY_PERFORMANCE_DATA, referred to on this wiki as the "performance data key", provides runtime access to performance data supplied either by the NT kernel itself or by other programs that provide performance data. This key is not displayed in the Registry Editor, but it is visible through the registry functions in the Windows API.

Startup Registry Keys and Details

These are registry keys that worms commonly use to make certain that they start when the computer starts. Assuming the description of the worm is decent, it should be very easy to tell exactly which key a particular worm uses.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
These programs automatically start when any user logs in. It is used for all users on the computer.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
The programs here start only once when any user logs in, and the entries are removed after the Windows boot process has finished.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
The programs here start only once when any user logs in, and the entries are removed after the Windows boot process has finished. Unlike RunOnce, the RunOnceEx key does not create separate processes. RunOnceEx also supports a dependency list of DLLs that remain loaded while all or some of the sections are being processed.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
These programs automatically start while the system is loading, before the user logs in. It is used for service applications (antivirus, drivers etc.). In Windows NT/2000/XP it can be cancelled by an administrator in favour of the other service startup sections. Read more at services startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
These programs automatically start only once, as service applications, while the system is loading; the items are deleted after the Windows boot process has finished.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
This key deals with logons.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The programs here automatically start when the current user logs in. It applies only to the currently logged-on user.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
The programs here automatically start only once when the current user logs in, and the entries are deleted after the Windows boot process has finished.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager\Accounts
This key contains a list of the current user's email accounts.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The programs here are automatically copied into HKEY_CURRENT_USER\...\Run for every new user account.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
The programs here are automatically copied into HKEY_CURRENT_USER\...\RunOnce for every new user account.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
This key lists the current user's personal folders.

HKEY_CLASSES_ROOT\txtfile\shell\open\command
This registry key sets the default application for opening text files.

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
This is another registry key that causes programs to run on startup.

HKEY_CURRENT_USER\Software\Microsoft\Office\
This is a registry key containing information about Microsoft Office.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units
This registry key's use has not yet been determined.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
Key used by the Mydoom worm.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Key used by the Mydoom worm.

Sources

Wikipedia, Windows Registry
Microsoft Corporation. Microsoft Windows 2000 Professional Resource Kit, Part 7 "Troubleshooting", Registry Editors, pp. 1448-1452. Microsoft Press: Redmond, Washington. 2000. ISBN 1572318082
Windows Registry Startup Sections for Startup Programs
Rusty Russell, Daniel Quinlan, Christopher Yeoh. Filesystem Hierarchy Standard Group, Filesystem Hierarchy Standard. 1994-2004
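As an added example (not part of the wiki page), the following Python script reads a Registry Editor (.reg) export offline, so the startup keys listed above can be reviewed from a saved export rather than on the live machine. It lists every value under those autostart keys, flags commands that point into the System folder (the location the page says worms prefer), and applies the HKEY_CLASSES_ROOT merge rule from the Registry section, where a value under HKEY_CURRENT_USER\Software\Classes shadows the same value under HKEY_LOCAL_MACHINE\Software\Classes, to the txtfile\shell\open\command handler. The sample export, the file names in it and the helper function names are constructed for this example.

```python
"""Review autostart entries in an offline Registry Editor (.reg) export.

Added example, not code from the Malware Wiki page. It assumes a
'Windows Registry Editor Version 5.00' style export and only reads
string (REG_SZ) values, which is what the Run-style keys hold.
"""
import re

# Autostart locations named on the wiki page (machine-wide and per-user).
AUTOSTART_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
]

# Constructed sample export (not a real capture): one ordinary Run entry, one
# per-user Run entry pointing into the System folder, and a per-user override
# of the txtfile handler that shadows the machine-wide one.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost"="C:\\WINNT\\System32\\example_unknown.exe"

[HKEY_LOCAL_MACHINE\Software\Classes\txtfile\shell\open\command]
@="C:\\WINNT\\NOTEPAD.EXE %1"

[HKEY_CURRENT_USER\Software\Classes\txtfile\shell\open\command]
@="C:\\WINNT\\System32\\example_unknown.exe %1"
"""

# A .reg value line: name (@ for the default value) = "string data"
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')


def unescape(s):
    """Undo the .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key path: {value name: string data}} for a .reg export."""
    tree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            tree[current][name] = unescape(m.group(2)[1:-1])
    return tree


def lookup(tree, key_path):
    """Registry key names are case-insensitive, so compare lower-cased paths."""
    want = key_path.lower()
    for path, values in tree.items():
        if path.lower() == want:
            return values
    return None


def resolve_hkcr(tree, subkey, value_name="(Default)"):
    r"""Emulate the HKEY_CLASSES_ROOT merge described on the page: the entry
    under HKEY_CURRENT_USER\Software\Classes wins over the one under
    HKEY_LOCAL_MACHINE\Software\Classes. Returns (source hive, data)."""
    for hive in (r"HKEY_CURRENT_USER\Software\Classes",
                 r"HKEY_LOCAL_MACHINE\Software\Classes"):
        values = lookup(tree, hive + "\\" + subkey)
        if values is not None and value_name in values:
            return hive, values[value_name]
    return None, None


def in_system_folder(command):
    r"""True when the command line points into the System folder
    (\Windows\System or \WINNT\System32), the location worms prefer."""
    lowered = command.lower()
    return "\\system32\\" in lowered or "\\system\\" in lowered


def autostart_entries(tree):
    """List (key, value name, command, suspicious) for every autostart value."""
    found = []
    for key in AUTOSTART_KEYS:
        for name, command in (lookup(tree, key) or {}).items():
            found.append((key, name, command, in_system_folder(command)))
    return found


if __name__ == "__main__":
    registry = parse_reg(SAMPLE_REG)
    for key, name, command, suspicious in autostart_entries(registry):
        print(("!! " if suspicious else "   ") + key + " : " + name + " = " + command)
    hive, handler = resolve_hkcr(registry, r"txtfile\shell\open\command")
    print("txtfile handler from " + hive + ": " + handler)
```

Run against a real export by replacing SAMPLE_REG with the contents of a file produced by regedit's export function; the System-folder check is a coarse triage filter, and the per-user txtfile override shows why the HKCU\Software\Classes branch deserves the same review as the machine-wide one.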